FBI confirms Barracuda patch is not effective for exploited ESG appliances

Categories: Exploits and vulnerabilities, News. Tags: Barracuda ESG, CVE-2023-2868, SEASPY, SUBMARINE, WHIRLPOOL

The FBI repeats the warning by Barracuda that all ESG appliances should immediately be replaced because the patch was ineffective.


The post FBI confirms Barracuda patch is not effective for exploited ESG appliances appeared first on Malwarebytes Labs.


In an FBI Flash about a Barracuda ESG vulnerability, listed as CVE-2023-2868, the FBI has stated that the patches released by Barracuda in response to this CVE were ineffective for anyone previously infected. Although both Barracuda and Mandiant had already made this determination, the agency says it has “independently verified” it.

As we explained in an earlier post, the zero-day vulnerability was reportedly used in targeted attacks for months before the patch was issued, by a group that allegedly has ties to China.

On May 23, 2023, Barracuda posted that “a security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023.” The patch was followed by another on May 21, and users with impacted appliances were reportedly “notified via the ESG user interface of actions to take.”

On June 6, 2023, Barracuda sent out an action notice informing customers that impacted ESG appliances must be replaced immediately, signalling that patching alone would not suffice on an already-infected device.

Compromised ESG appliances must be immediately replaced regardless of patch version level. Only a subset of ESG appliances have shown any known indicators of compromise, and are identified by a message in the appliance User Interface.

On July 28, the company explained that SUBMARINE malware was found on infected devices that had been patched:

This additional malware was utilized by the threat actor in response to Barracuda’s remediation actions in an attempt to create persistent access on customer ESG appliances. This malware appeared on a very small number of already compromised ESG appliances.

In a blog post today, Mandiant confirmed that the patches appear to be effective, saying that since Barracuda released its patches, “Mandiant and Barracuda have not identified evidence of successful exploitation of CVE-2023-2868 resulting in any newly compromised physical or virtual ESG appliances.” The company goes on to reiterate that compromised organizations should replace their appliances:

…a limited number of previously impacted victims remain at risk due to this campaign … Mandiant’s recommendations remain unchanged — victims impacted by this campaign should contact Barracuda support and replace the compromised appliance.

The FBI has now independently verified the same findings.

the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability.

The flaw in Barracuda’s appliance is a remote command injection vulnerability which exists in the Barracuda Email Security Gateway (appliance form factor only). The vulnerability stems from incomplete input validation of file names contained in .tar file attachments. As a consequence, a remote attacker could specifically format these file names in a way that results in remotely executing a system command through Perl’s qx operator, with the privileges of the Email Security Gateway product.
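The incomplete-validation flaw described in the paragraph above, illustrated by an added Python example that is not Barracuda's code and not part of the original post: it builds a constructed .tar attachment, applies an assumed allowlist to the member names (the check that was incomplete), and sets the shell-interpolated command string, the analogue of Perl's qx, beside a validated argv list that no shell parses.

```python
import io
import re
import tarfile

# Assumed allowlist policy for member names inside a .tar attachment:
# letters, digits, dot, dash, underscore; no path separators, whitespace
# or shell metacharacters. Anything else is rejected before any use.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def check_tar_member_names(tar_bytes: bytes) -> dict:
    """Classify each member name as accepted or rejected. tarfile reads the
    names straight from the headers; nothing here hands them to a shell."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            bucket = accepted if SAFE_NAME.fullmatch(member.name) else rejected
            bucket.append(member.name)
    return {"accepted": accepted, "rejected": rejected}


def scan_command_unsafe(name: str) -> str:
    """Vulnerable pattern: the name is interpolated into one command string
    that a shell will parse, the analogue of Perl's qx("... $name")."""
    return f"file {name}"


def scan_command_hardened(name: str) -> list:
    """Hardened form: validate first, then build argv as a list so the name
    reaches the program as one argument and no shell ever parses it."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected attachment member name: {name!r}")
    return ["file", "--", name]


def build_sample_tar() -> bytes:
    """Constructed sample: one benign member and one whose name carries a
    command separator, the kind of name the allowlist must reject."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("invoice.pdf", "invoice.pdf;id"):
            info = tarfile.TarInfo(name)
            info.size = len(b"placeholder")
            tar.addfile(info, io.BytesIO(b"placeholder"))
    return buf.getvalue()


if __name__ == "__main__":
    verdict = check_tar_member_names(build_sample_tar())
    print(verdict)
    print("shell would see:", scan_command_unsafe(verdict["rejected"][0]))
```

The same allowlist is applied twice on purpose: once when the archive is inspected and again immediately before any command is built, so a name that bypasses one path cannot reach the other.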

According to the FBI, the cybercriminals utilized this vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting, and data exfiltration.

The Cybersecurity and Infrastructure Security Agency (CISA) has published four malware analysis reports based on malware variants associated with the exploitation of this vulnerability in Barracuda ESG appliances.

The CISA reports address:

  • Barracuda Exploit Payload and Backdoor
  • SEASPY
  • SUBMARINE
  • WHIRLPOOL

In these reports and the FBI Flash you can find a host of Indicators of Compromise that are certainly worth pursuing if you have or had the Barracuda ESG appliance in your environment between October 2022 and now.

The FBI recommends that customers who used enterprise privileged credentials for management of their Barracuda appliances (such as Active Directory Domain Admin) immediately take incident investigation steps to verify the use and behavior of any credentials used on their devices. Investigation steps may include:

  • Review email logs to identify the initial point of exposure
  • Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise
  • Revoke and reissue all certificates that were on the ESG at the time of compromise
  • Monitor entire network for the use of credentials that were on the ESG at the time of compromise
  • Review network logs for signs of data exfiltration and lateral movement
  • Capture forensic image of the appliance and conduct a forensic analysis


Related news

Chinese Hackers Exploited New Zero-Day in Barracuda's ESG Appliances

Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy a backdoor on a "limited number" of devices. Tracked as CVE-2023-7102, the issue relates to a case of arbitrary code execution that resides within a third-party and open-source library Spreadsheet::ParseExcel that's used by the Amavis scanner within the

Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom

A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign. Mandiant, which is tracking the activity under the name UNC4841, described the threat actor as "highly responsive to

Urgent FBI Warning: Barracuda Email Gateways Vulnerable Despite Recent Patches

The U.S. Federal Bureau of Investigation (FBI) is warning that Barracuda Networks Email Security Gateway (ESG) appliances patched against a recently disclosed critical flaw continue to be at risk of potential compromise from suspected Chinese hacking groups. It also deemed the fixes as "ineffective" and that it "continues to observe active intrusions and considers all affected Barracuda ESG

Compromised Barracuda appliances equipped with persistent backdoors by attackers

Categories: Exploits and vulnerabilities, News. Tags: Barracuda, ESG, CVE-2023-2868, SUBMARINE, SEASPY, shell

CISA has released three reports based on the analysis of backdoors planted on compromised Barracuda ESG appliances. The post Compromised Barracuda appliances equipped with persistent backdoors by attackers appeared first on Malwarebytes Labs.

Hackers Deploy "SUBMARINE" Backdoor in Barracuda Email Security Gateway Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a "novel persistent backdoor" called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances. "SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable

Critical Barracuda ESG Zero-Day Linked to Novel Chinese APT

A PRC-aligned actor used a trio of custom malware to take advantage of inherent weaknesses in edge appliances.

Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway

A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022. "UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," Google-owned Mandiant said in a new report published today, describing the group as "

Barracuda Urges Replacing — Not Patching — Its Email Security Gateways

It's not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware -- as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.

Barracuda Urges Immediate Replacement of Hacked ESG Appliances

Enterprise security company Barracuda is now urging customers who were impacted by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to immediately replace them. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company said in an update, adding its "remediation recommendation at this time is full replacement of the

Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months

Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices. The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), has been actively exploited for at least seven months prior to its discovery.

Barracuda Warns of Zero-Day Exploited to Breach Email Security Gateway Appliances

Email protection and network security services provider Barracuda is warning users about a zero-day flaw that it said has been exploited to breach the company's Email Security Gateway (ESG) appliances. The zero-day is being tracked as CVE-2023-2868 and has been described as a remote code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006. The California-headquartered firm